| name | gdpr-compliance |
| description | GDPR and data protection patterns for handling European Parliament personal data with privacy by design |
| license | MIT |
GDPR Compliance Skill
Context
This skill applies when:
- Processing personal data from European Parliament (MEP information)
- Implementing data minimization strategies
- Supporting GDPR rights (access, rectification, erasure)
- Implementing audit logging for personal data access
- Designing privacy-by-design features
- Handling data retention and deletion
- Implementing consent mechanisms
- Creating data protection impact assessments
GDPR (EU Regulation 2016/679) applies to all processing of EU citizens' personal data. Even though MEP data is public, GDPR principles still apply.
Rules
- Data Minimization: Only collect necessary personal data fields
- Purpose Limitation: Use data only for stated purpose (parliamentary information)
- Storage Limitation: Cache personal data for max 24 hours
- Accuracy: Maintain data integrity, support corrections
- Lawful Basis: Public interest (GDPR Art. 6(1)(e)) for MEP data
- Audit Logging: Log all personal data access
- Right to Rectification: Support data correction requests
- Right to Erasure: Limited for public figures (GDPR Art. 17(3)(e))
- Data Protection by Design: Build privacy into architecture
- Transparency: Document all data processing activities
Examples
✅ Good Pattern: Data Minimization
interface MEPPublicData {
id: number;
fullName: string;
country: string;
partyGroup: string;
active: boolean;
}
const DATA_PURPOSE = 'Providing public parliamentary information via MCP protocol';
✅ Good Pattern: Audit Logging
function logPersonalDataAccess(
actor: string,
subject: string,
purpose: string
): void {
auditLog.record({
timestamp: new Date().toISOString(),
eventType: 'personal_data_access',
actor,
subject,
purpose,
legalBasis: 'GDPR_Art_6_1_e_Public_Interest',
});
}
logPersonalDataAccess(
'mcp_client',
'mep:12345',
'Parliamentary information query'
);
✅ Good Pattern: Right to Rectification
async function updateMEPData(
id: number,
corrections: Partial<MEP>
): Promise<void> {
const validated = MEPUpdateSchema.parse(corrections);
await updateMEP(id, validated);
invalidateMEPCache(id);
auditLog.record({
eventType: 'data_rectification',
subject: `mep:${id}`,
action: 'update',
details: corrections,
legalBasis: 'GDPR_Art_16_Right_to_Rectification',
});
}
✅ Good Pattern: Storage Limitation
const mepCache = new LRUCache<string, MEP>({
max: 1000,
ttl: 1000 * 60 * 60 * 24,
allowStale: false,
});
setInterval(() => {
mepCache.purgeStale();
}, 1000 * 60 * 60);
Anti-Patterns
❌ Bad: No Audit Logging
async function bad(mepId: number) {
return await getMEP(mepId);
}
❌ Bad: Excessive Data Collection
interface MEPBad {
id: number;
fullName: string;
privateAddress: string;
personalPhone: string;
familyMembers: string[];
medicalRecords: string;
}
❌ Bad: Indefinite Storage
const cache = new Map();
GDPR Rights Implementation
Right to Access (Art. 15)
async function getPersonalData(mepId: number): Promise<PersonalDataExport> {
return {
data: await getMEP(mepId),
purpose: DATA_PURPOSE,
legalBasis: 'Public interest (Art. 6(1)(e))',
retentionPeriod: '24 hours (cache)',
recipients: 'MCP clients',
};
}
Right to Erasure (Art. 17)
async function handleErasureRequest(mepId: number): Promise<ErasureResult> {
invalidateMEPCache(mepId);
return {
success: true,
scope: 'cached_data_only',
reason: 'Public figure exemption (GDPR Art. 17(3)(e))',
};
}
ISMS Compliance
- PR-001: Privacy by Design and Default (GDPR Art. 25)
- PR-002: Data Minimisation (GDPR Art. 5(1)(c))
- PR-003: Data Subject Rights (GDPR Art. 15–22)
- AU-002: Audit Logging for personal-data access
- SC-001: Transport security (TLS 1.3) for all personal-data flows
Policy References
Primary: Privacy Policy
Related policies: